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APPARATUS AND METHOD FOR DISTRIBUTING 
MANAGEMENT KEYS IN A MULTICAST DOMAIN 



FIELD OF THE INVENTION 



The invention generally relates to computers and, more particularly, the invention relates 
to multicast transmissions. 



Multicasting is a well known method of transmitting messages to selected groups of users 
across a network, such as the Internet. One simple example of multicasting entails transmitting 
an E-mail message to a plurality of users that each are on a mailing list. Video conferencing and 
teleconferencing also use multicasting principles and thus, often are referred to as 
"multiconferencing. " 

Security in multicast broadcasts is often provided by encrypting the data and dispensing a 
unique cryptographic key to each of the group members. In a multicast environment, each time 
the membership of the group changes the data group key must be redistributed to maintain 
security. Redistribution occurs via a unicast session between a key distributor and each member 
of the group. If the membership changes often, a new unicast session must be established for 
each member of the group and a new data group key must be sent. This constant rekeying is an 
inefficient use of bandwidth. 



In accordance with one aspect of the invention, a method and apparatus for distributing 
keys in a multicast domain is provided. In a secure multicast domain, a request to join a 
multicast group for a time period occurs. A key distributor which controls access to the multicast 
data group determines if the request will be accepted. If the request is accepted the key distributor 
assigns the member to a virtual channel, wherein each virtual channel is defined by a time period. 
A data group key is forwarded to the member as is a virtual channel key. The member can then 
receive and decode events from the data group on the assigned virtual channel. 



BACKGROUND OF THE INVENTION 



SUMMARY OF THE INVENTION 



When a virtual channel is formed, the virtual channel's time period may be defined by an 
upper bound and a lower bound. When a member joins a virtual channel the member's duration 
may be less than the duration of the virtual channel thereby falling between the virtual channel's 
upper and lower bound. When membership of a virtual channel changes the virtual channel key is 
rekeyed from the key distributor. 
10 The key distributor may form a permanent virtual channel which is associated with an 

unlimited time duration and the key distributor may make a member a temporary member if the 
member's time duration is less than all of the virtual channel's lower bounds. Members which are 
part of a virtual channel may be either lower members or upper members. Lower members' time 
duration falls between the lower and upper bounds of the virtual channel. An upper member has a 
15 time duration which is above the upper bounds of the virtual channel. 

When a virtual channel becomes freed, as the result of an upper member leaving the 
virtual channel; all lower members expiring while there is no upper member whose due 
K date is equal or earlier than the upper bound in the virtual channel; or some lower 

member expiring while the other lower members become temporary members; the 
l[^0 virtual channels are rotated. As the virtual channels are rotated the upper and lower bounds of 

each virtual channel are reassigned. If no members of a virtual channel change during the process 
of rotation the virtual channel key need not be rekeyed. 
^ W In accordance with another aspect of the invention, another method and apparatus for 

41 distributing keys in a multicast is provided. A secure multicast session is created in a domain 

'''^5 having a plurality of virtual channels that each have members, each member is associated with 
one of the plurality of multicast virtual channels based on a time-based distribution policy. The 
virtual channel keys are distributed to the members and each member receives one virtual 
channel key based upon their associated virtual channel. The virtual channel keys are rekeyed 
when membership of the virtual channel changes. Further, in the act of distributing the virtual 
30 channel key, the virtual channel key is sent in a unicast session to each member. Each virtual 
channel may be associated with a time duration and no member can be in more than one virtual 
channel. In addition to the virtual channel key, the data group members receive distribution of a 
data key by means of the virtual channel. The time duration of a virtual channel may be 



2 



reassigned if the virtual channel is freed. In an alternative embodiment, the time duration of all 
virtual channels are reassigned if any virtual channel is freed. The act of reassigning may require 
reconfiguring the lower and upper bounds of all virtual channels. 

Preferred embodiments of the invention are implemented as a computer program product 
having a computer usable medium v^ith computer readable program code thereon. The computer 
readable code may be read and utilized by the computer system in accordance with conventional 
processes. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects and advantages of the invention will be appreciated more 
fully from the following further description thereof with reference to the accompanying drawings 
wherein: 

Fig. 1 shows two data groups in a domain which receive encryption keys from a key 
distributor; 

Fig, 2 is a flow chart showing the steps taken by a user to become a member of a data 

group; 

Fig. 3 is a flow chart which shows the steps taken by a key distributor in determining if a 
user should become a member of a data group; 

Fig. 4 is a flow chart which shows the steps taken in assigning a member to a virtual 
channel; 

Fig. 5 shows a key distributor communicating with members in a data group over 
multiple virtual channels in an example of the methodology for encryption key distribution; 
Fig. 6 shows the results of changes to Fig. 5 that occur on day two; 
Fig. 7 shows the results of changes to Fig. 5 that occur on day three; 
Fig. 8 shows the results of changes to Fig. 5 that occur on day six; 
Fig. 9 shows the results of changes to Fig. 5 that occur on day eight; 
Fig. 10 shows the results of changes to Fig. 5 that occur on day ten; 
Fig. 1 1 shows the results of changes to Fig. 5 that.occur on day thirteen; and 
Fig. 12 shows the results of changes to Fig. 5 that occur on day fifteen. 




DESCRIPTION OF SPECIFIC EMBODIMENTS 

The term "domain" in this specification and the appended claims shall refer to a 
group of computers or devices on a network that are administered as a unit with 
common rules and procedures. Within the Internet, domains are defined by the IP 
address. All devices sharing a common part of the IP address are said to be in the same 
10 domain. 

Fig. 1 schematically shows an exemplary multicast domain 100 in which 
preferred embodiments of the invention may be implemented. The domain 100 
preferably is executing in accordance with a known multicast protocol, such as the 
protocol independent multicast protocol ("PIM protocol"). Principles of the invention 
15 may be applied to other multicast protocols, such as the Multicast Extension to OSPF 
r$ (Open Shortest Path First). 

'I A multicast data group, or simply a data group, is a multicast address 

representing a community of members who are interested in particular stream(s) of 

f data. In Fig. 1, two multicast data groups are shown for exemplary purposes. Both data 

11^20 group 1 and data group 2 reside within secure domain 100. Fig. 1 also shows a key 
distributor (KD) which is a key management entity that is responsible for 
distributing/ redistributing keys to individual members of a multicast group to 

i=J maintain security. In Fig. 1 there are two key distributors, one for each data group. In 

other embodiments there may only be one key distributor for multiple data groups. 

25 

Becoming a Member 

Fig. 2 shows a flow chart of the steps taken by a member joining a data group. A 
user wishing to become a member of a multicast data group joins the multicast data 
group using IGMP (Internet Group Management Protocol). IGMP is a well known 
30 protocol in the art. Further, the user indicates a time period for which to join the group 
(210). A user then receives a response from the key distributor. (220). The key 
distributor may reject or accept the user based on data group acceptance criteria. The 
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acceptance criteria is described below. Upon acceptance to the data group, the user 
becomes a member. A member may either be a temporary member and not assigned to 
a virtual charmel or a regular member and assigned to a virtual channel. A virtual 
channel is a logical communication link between the key distributor and a subset of 
data group members. Typically, a virtual channel is identified by an administratively- 
10 scoped multicast address. A member then receives a virtual channel key if the member 
is a not a temporary member. Thereafter, the member receives the data group key via 
the virtual charmel or if a temporary member by a unicast session. Data from the data 
group is then distributed. The data is transmitted in encrypted form to the user via the 
virtual channel. If the member is a temporary member the data is received through a 
15 unicast session. The data is decrypted by applying the data group key. The data may 
Q then be accessed by the member. 

Ig . The Key Distributor 

The key distributor contains a distribution policy which determines the number 
of virtual channels and the upper and lower time defined bounds for the virtual 
ilJ20 channels. A policy should contain at least two rules: (1) temporary rule: temporary 
members are associated with no virtual channel, and (2) permanent rule: permanent 
t members are associated with a fixed virtual charmel. An example of a distribuition 
i'J policy will be provided below. Fig. 3 shows a flow chart of the steps taken by the Key 

ijj Distributor in assigning a virtual channel. The key distributor maintains a number of 

25 virtual channels based on the distribution policy (310). In assigning virtual channels, the 
key distributor receives a request to join a data group which includes a due date (320). 
The key distributor determines the status of the user trying to become a member and 
the time period requested for the user to join the data group (330). If the user meets the 
acceptance criteria for joining the data group, the key distributor then assigns the user 
30 to a virtual channel (350). The acceptance is then sent to the user (360). If the user does 
not meet with the acceptance scheme the key distributor sends a message denying 
access to the data group (360). 
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Once a user has been accepted as a member, the key distributor determines the 
member's virtual channel assignment which is shown in the flow chart of Fig. 4. First 
the key distributor determines if the time period that the user requested is in excess of 
the minimum set in the distribution policy for joining a permanent channel (410). If this 
is the case, the member is assigned to a permanent channel (450). If this is not the case, 
the key distributor then determines whether the requested time period is less than the 
minimum time period associated with any virtual channel (420). If the outcome to this 
query is yes the member is considered a temporary member and is not assigned a 
virtual channel (440). In all other instances, the member is assigned to the virtual 
channel where the time period for which the member requested falls between the upper 
and lower bounds of a virtual channel (430). The key distributor then sends a virtual 
channel key by means of a unicast session to the member and then the key distributor 
sends the data group key to the member. In one embodiment of the invention, the key 
distributor distributes the encrypted data of the data group to the members by means of 
standard multicast fowarding in other embodiments, another entity distributes the 
encrypted data. 

The key distributor receives signals from members when they wish to join or 
leave a virtual channel and redistributes the data group key to all remaining members. 
In virtual channels in which no member joins or leaves the group, the data group key is 
redistributed via the multicast virtual channels. In the virtual channel where a member 
joins or leaves, the data group key is redistributed by unicast session to all members of 
the virtual channel. A virtual channel key is only redistributed when a member leaves 
or joins a particular virtual channel. If a member does not join or leave the virtual 
channel, the virtual charmel key need not be redistributed for that virtual channel. In 
such a rekeying scheme bandwidth is saved, since the data group key may be 
redistributed primarily through the virtual charmels, limiting the number of unicast 
connections. Additionally, bandwidth is conserved for the charmel key by only 
rekeying the channel key to members by unicast session when members join or leave 



the channel and not rekeying a channel in which membership remains constant. 
Acceptance Policy 

In the request to join the data group, the user must indicate a date upon which 
membership in the group is to expire which, for convenience, is referred to as the 
member's due date. The acceptance of a due date may be constrained by the key 
administrator based on some criteria. For instance, a request to join a data group may 
occur and based upon the e-mail address of the user, the user may be denied 
membership because the user has selected a due date which is not within the choices 
which are acceptable for the user. The key distributor provides a selection of limited 
due dates based on the user's e-mail address. The user, may then select the most 
appropriate choice. In a system in which greater flexability is desired for the user's 
selection, the key distributor allows the user to enter any due date. The key distributor 
then compares the e-mail address and due date to a list stored in memory. If the due. 
date selected falls outside of the range of due dates allowed for the e-mail address the 
user is denied membership. 
Channel Assignment 

The time period from the current clock time to the due date is called the 
member's due time. A member with a due time which is shorter than any virtual 
channel is called a temporary member. Temporary members are associated with no 
virtual channel. A member with due time exceeding a certain period is called a 
permanent member and is associated with a constant virtual channel. In Fig. 1, 
members 21,22,23 of data group 1 are associated with a due date. Member 21 has a due 
time which expires in 2 days, and has a due date of Jan. 2, member 22 expires in 3 days 
and has a due date on Jan. 3, and member 23 expires in 14 days and has a due date of 
Jan 14. Member 24 is a permanent member and is assigned to the permanent virtual 
channel. Member 28 is a temporary member and is not assigned to a virtual channel. 

In establishing the virtual channels, the key distributor associates each virtual 
channel with a time period. Each virtual channel has an upper and lower bound which 



are dates associated with the time period of the virtual channel. The lower bound of a 
virtual channel is the earliest due date limit required for members associated with the 
virtual channel. A member can be assigned to the virtual channel only if the member's 
due date is not earlier than the lower bound of the virtual channel. The upper bound of 
a virtual channel is the latest due date limit required for members associated with the 
virtual channel. A member in a data group is assigned to a virtual channel if the 
member's due date is not later than the upper bound. For example in Fig. 1, virtual 
channel A has a lower bound of Jan. 1 and an upper bounds of Jan. 5. If a new group 
member with a due date of Jan. 6 joins the member will not be assigned to and carmot 
join virtual charuiel A, rather this new member would be assigned to virtual channel B. 

The due date of a virtual channel is a due date after which all members whose 
due dates are earlier than the upper bound of the virtual charmel will expire. Members 
in a virtual channel whose due dates are earlier than the due date of the virtual channel 
are called lower members, and all others are called upper members. For example, 
channel A of Fig. 1 is a valid channel for a five day period which begins on Jan. 1 and 
expires on Jan. 5. Member 21 which is valid for 2 days (from Jan. 1-2) and Member 22 
which is valid for 3 days (from Jan. 1-3) are considered to be lower members since their 
due dates fall between the upper and lower bounds of the channel and the due date of 
the channel is considered to be Jan. 3. For data group 2, virtual channel C has three 
members 31, 32 and 33. Member 33 is an upper member, since its due date Jan. 9 is 
greater than the upper bounds of virtual channel C, Jan. 6. A member may only become 
an upper member once rekeying occurs when a virtual channel is freed as described 
below. A member cannot be initially assigned to a virtual charmel by the key distributor 
as an upper member since this will violate the distribution policy. For example, virtual 
channel A of Fig.l is a valid virtual channel for a five day period which begins on Jan.l 
and expires on Jan. 5. Member 21 which is valid for 2 days (from Jan. 1-2) and Member 
22 which is valid for 3 days (from Jan 1-3) are considered to be lower members since 
their due dates fall between the upper and lower bounds of the virtual channel and the 
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" due date of the virtual channel is considered to be Jan. 3. For data group 1, virtual 

channel c has three members 31, 32, and 33. Member 33 is an upper member, since its 
due date Jan. 9 is greater than the upper bounds of virtual channel C, Jan 6. 
Key Distribution 

After the virtual charmels are determined by the distribution policy and the 
10 members are assigned to a virtual charmel, the virtual channel key for the encrypted 
channel is forwarded to the members through a urucast session. To each temporary 
member, the key distributor sends the data group key through a secure unicast session. 
Once the virtual channel key is received by the data group members the key distributor 
may send the data group key by way of the virtual channel. In Fig. 1, key distributor 20 
15 distributes virtual channel keys first for virtual channels A and B via a urucast session 
L'Sj and then sends the data group key for the group on the assigned virtual channels A and 

% B. Likewise key distributor 30 distributes through a unicast session the virtual channel 

keys to virtual channels C and D to members 31,32,33,34 and 35. Then the data group 
key for data group 2 is distributed to the members through their respective virtual 
ry20 channels. The key distributor may perform rekeying periodically for the data group 

key. To do this, the key distributor may obtain or generate a new key for the data 
ill gi'oup, and sends the new key for the data group on the virtual channel. The virtual 

==;J channel key need not be redistributed unless a channel becomes freed or the 

i j membership of the virtual channel changes. 

25 A virtual channel is freed if (1) an upper member expires; (2) all lower members 

expire while there is no upper member whose due date is equal or earlier than the 
upper bound in the virtual channel; or (3) some lower member expires while the other 
lower members become temporary members. When a virtual channel expires, the 
remaining lower members change to temporary members and all upper members will 
30 be disassociated from the virtual channel and the virtual channel is then freed. The 

upper members are then reassigned to another virtual channel in which the member's 
due date is between the upper and lower bounds of the virtual channel. 
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A default virtual channel may be included in case a member does not fit within 
any of the virtual channels. Typically a member in the default virtual channel has a due 
date earlier than the lower bound of the permanent virtual channel, but is later than all 
other upper bounds. A member with the earliest due date in the default virtual channel 
is called a lower edge member of the default virtual channel. The due date of a lower 
edge member of the default virtual channel is called the lower bound of the default 
virtual channel. The upper bound of the default virtual channel is the lower bound of 
the permanent virtual charmeL 
Rekeying When Membership of the Group Changes 

When a member joins the data group, the key distributor determines whether the 
member is a temporary member. If so, the key distributor sends the existing data group 
key to the temporary member through a unicast session. When a temporary member 
expires or leaves, the member is no longer qualified for receiving data for the data 
group and thus the key distributor no longer forwards the data group key to this 
expired member. When this occurs, the key distributor rekeys the entire data group. In 
this case, the key distributor obtains or generates a new key for the data group, and 
applies the data group key distribution procedure to the new key. 

If a new member joins a data group and has a due date which is later than the 
lower bound of a certain virtual channel, the key distributor assigns the virtual channel, 
sends the virtual channel key to the member through a unicast session with the 
member, requests the member to join the virtual channel through IGMP Membership 
Report messages, and sends the data group key to the member through the virtual 
channel. 

When a member leaves a data group, the key distributor has to do rekeying for 
the data group. If the leaving member is associated with a virtual channel, the key 
distributor generates a new vritual channel key for the virtual charuiel, and sends the 
new virtual channel key to each individual member (excluding the leaving member) 
through a unicast session. The key distributor then obtains or generates a new data 
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group key for the data group, and applies the data group key distribution procedure to 
the new data group key. If, as a result, the virtual channel expires, the key distributor 
will further process the expiration of the virtual channel as described below. 

If a member associated with a virtual channel expires, it is no longer qualified for 
receiving data for the data group through the multicast secure virtual channel The key 
distributor has to do rekeying for both the virtual channel and the data group. To do 
rekeying for the virtual channel, the key distributor obtains or generates a new virtual 
channel key for the virtual channel, and applies the virtual channel key distribution 
procedure to the new virtual channel key. However, the new virtual channel key should 
not be distributed to the expiring member. To do rekeying for the data group, the key 
distributor obtains or generates a new data group key for the data group, and applies 
the data group key distribution procedure to the new data group key. 

Before proceeding with the rekeying, the key distributor should determine if the 
virtual channel has been freed as a result of the member's expiration. If the charmel has 
expired, the key distributor processes the expiration of the channel as described in the 
next section and then performs rekeying for the data group. Otherwise, the key 
distributor performs rekeying for both the charmel and the data group. 
Rekeying When a Virtual Channel is Freed 

For the following discussion, the virtual channels are arranged in the order of 
expiration so that the virtual channel with the lowest upper bounds is the bottom 
virtual channel and the virtual channel with the highest upper bounds is the top virtual 
channel. The default virtual channel is ordered before the permanent virtual channel 
but after other virtual channels. We call the virtual channel immediately followed by 
the default virtual channel as the top virtual charmel while the first virtual charmel is 
called the bottom virtual channel. There is no gap between the upper bound of a virtual 
charmel and the lower bound of the subsequent virtual channel, except that there may 
be a gap between the top virtual channel and the default virtual channel. The virtual 
channel list, starting from the bottom virtual channel and ending with the default 
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virtual channel, is called the virtual channel chain. Such a classification of order is only 
for illustrative purposes as all virtual channels are virtual and do not have an actual 
order or physical location. 

When the bottom virtual channel is freed, the key distributor rotates the virtual 
channel chain in such a way that the virtual channel following the bottom virtual 
channel becomes the bottom virtual channel, the default virtual channel becomes the 
top virtual charmel, and the freed bottom virtual channel becomes the default virtual 
channel. The term "rotate" is provided for illustrative purposes, since no physical 
rotation actually occurs. When virtual channels are "rotated" new upper and lower 
bounds are associated with the virtual channel, however the members of the virtual 
channel may remain and therefore the virtual channel key need not be rekeyed. The 
lower and upper bounds of all virtual channels from the bottom through the top virtual 
channel should be reconfigured in accordance with the distribution policy. If after the 
reconfiguration, the due date of the lower edge member of the original default virtual 
channel is later than its new upper bound as the top virtual channel, the key distributor 
swaps the new the top virtual channel and the new default virtual channel such that, 
the original default virtual channel remains as the default one, the freed bottom virtual 
channel becomes the new the top virtual channel, and the lower and upper bounds of 
the new the top virtual channel are reset in accordance with the distribution policy. 
After rotating the virtual channel chain the key distributor should not move members 
between various virtual channels in the virtual channel chain. 

A virtual channel can expire while still having members in the virtual channel. 
By definition when the virtual channel expires all lower members have expired, 
however upper members may still be present. In this case, the key distributor frees the 
expiring virtual channel, and rotates the virtual channel chain. For each upper member 
of the expiring virtual channel, the key distributor re-assigns the upper member to 
another virtual channel according to the key distribution policy, sends the upper 
member the virtual channel key for the new virtual charmel through the urucast secure 



12 



session, and requests the upper member to join the new virtual charmel through IGMP 
Membership Report messages. The key distributor then obtains or generates a new data 
group key for the data group, and applies the data group key distribution procedure to 
the new data group key. 
An Example 

Figs. 5-12 presents an example of the methodology used in distributing keys in a 
multicast. This example is not meant to limit the scope of the invention and is provided 
to show some of the possible situations that occur in applying the method. In this 
example a key distributor has the following key distribution policy: 

A member whose due time is one day is a temporary member; 

A member whose due time is equal or greater than one month is a permanent 
member; 

: A member whose due time is between one day and two days is in the bottom 
virtual channel; 

A member whose due time is between three days and one week is in the second 
virtual channel; 

A member whose due time is between one week and two weeks is in the top 
virtual channel. 

In Fig. 5, Ml-MlO and MlOO are members of a data group which are assigned to 
a virtual charmel or are temporary members. The key distributor KD provides the 
virtual channel key and the data group key to each of the members. The numbers 
associated with Ml through MIO are due dates. On Jan. 1st members Ml and M2 are 
temporary members and have no associated virtual channel. M3 through MIO are 
placed in virtual channel Gel through Gc4 according to their due dates. Each member's 
due date falls between the lower and upper bounds of the virtual channel which are the 
indicated number ranges. All members of the virtual charmels are lower members, since 
rotation has not yet occurred. MlOO is a permanent member. 

Fig. 6 shows the group distribution on January 2nd. Temporary member Ml and 
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M2 expire, but new member Mil and M12 join as temporary members. As a result, the 
key distributor generates a new data group key distributing the data group key to the 
temporary members in a unicast session and delivering the data group key to all other 
members via their respective virtual channels. Virtual charmel membership of Gel, Gc2, 
Gc3, or Gc4 does not change and therefore the key distributor does not redistribute any 
virtual channel keys. 

Fig. 7 shows the group distribution on January 3rd. Temporary member Mil and 
M12 expire. M3 expires, member M4 of Gel becomes a temporary member since M4's 
due date is Jan. 3, and as a result, virtual channel Gel is freed. The virtual channel chain 
is rotated. Gc2 becomes the bottom virtual channel and Gel becomes the top virtual 
channel. Gc2 being the bottom virtual channel is valid for only the next two days which 
are Jan. 4-5. Likewise Gc3 is valid for the next 3 days after Gc2 expires which is Jan. 6-9. 
The top virtual channel. Gel is valid for seven days after the expiration of Gc3 from Jan. 
10-16. M13 joins as a temporary member. M14, with a due date as January 16, joins and 
is assigned to Gel because M14 falls within the bounds of Gel. The data group key is 
redistributed since group membership has changed and the virtual channel key for Gel 
is changed and redistributed to M14. 

Fig. 8 shows the group distribution on January 6th. Temporary members M4 and 
M13 expire while members M15 and M16 join as temporary members. Member M5 
expires, which triggers Gc2 to be freed. The virtual channel chain is then rotated and 
Gc3 becomes the bottom virtual channel and Gc2 becomes the top virtual channel. M6, 
which was an upper member of freed virtual channel Gc2, is reassigned to Gc3, since 
M6 falls within the upper and lower bounds of Gc3. Since the membership of Gc2 and 
Gc3 changed, the key distributor provides new virtual charmel keys to all of the 
members of the virtual channels. Additionally the data group membership changes and 
the data group key is redistributed to all members. 

Fig. 9 shows the group distribution on January 8th. Temporary member M15 and 
M16 expire and M18 and M19 join as temporary members.. M6 expires, which triggers 
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Gc3 freed. The virtual channel chain is rotated. Gel becomes the bottom virtual charmel, 
Gc4 becomes the top virtual channel and Gc3 becomes the default virtual channel. M7 
which was previously part of Gc3 is reassigned to Gel, since Gel has an upper and 
lower bounds of Jan 8-9 and M7's due date is on Jan. 9th. M8 is reassigned to Gc2 
because Gc3 is freed and MS falls within the bounds of Gc2. M20 joins and is assigned to 
the default virtual charmel because its due date is greater than that of the upper virtual 
virtual charuiel, but not longer than one month to become a permanent member. 

Fig. 10 shows the group distribution on January 10th. Temporary member MIS 
and M19 expire and M21 and M22 join as temporary members. M7 expires, which 
triggers Gel freed. The virtual channel chain is rotated. Gc2 becomes the bottom virtual 
channel and Gel becomes the top virtual channel. No members of virtual channels Gc2, 
Gc3 or Gc4 change and therefore the virtual charmel key for these virtual channels is not 
rekeyed. The virtual channel key for Gel is rekeyed since M7 has left. Also, since M7 
has left the data group key is rekeyed. Each time a member joins or leaves the data 
group the data group key is rekeyed. 

Fig. 11 shows the group distribution on January 13th. Temporary member M21 
and M22 expire. MS expires, which triggers Gc2 freed. The virtual charmel chain is 
rotated. Gc4 becomes the bottom virtual channel and Gc2 becomes the top virtual 
channel. M17 is re-assigned to Gc4. M23 and M24 join as temporary members. 

Fig. 12 shows the group distribution on January 15th. Temporary member M23 
and M24 expire. M17 expires, which triggers Gc4 freed. The virtual channel chain is 
rotated. Gel becomes the bottom virtual charmel and Gc3 becomes the top virtual 
channel. Gc4 changes back as the default virtual charmel. M9 is re-assigned to Gc2, and 
MIO is assigned to Gc4. M23 and M24 join as temporary members. 

Preferred embodiments of the invention may be implemented in any 
conventional computer programming language. For example, preferred embodiments 
may be implemented in a procedural programming language {e.g., "C") or an object 
oriented programming language (e.g., "C++"). Alternative embodiments of the 
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invention may be implemented as preprogrammed hardware elements (e.g., application 
specific integrated circuits), or other related components. 

Alternative embodiments of the invention may be implemented as a computer 
program product for use with a computer system. Such implementation may include a 
series of computer instructions fixed either on a tangible medium, such as a computer 
readable media {e,g,, a diskette, CD-ROM, ROM, or fixed disk), or transmittable to a 
computer system via a modem or other interface device, such as a communications 
adapter cormected to a network over a medium. The medium may be either a tangible 
medium {e.g., optical or analog communications lines) or a medium implemented with 
wireless techniques {e.g., microwave, infrared or other transmission techniques). The 
series of computer instructions preferably embodies all or part of the functionality 
previously described herein with respect' to the system. Those skilled in the art should 
appreciate that such computer instructions can be written in a number of programming 
languages for use with many computer architectures or operating systems. 
Furthermore, such instructions may be stored in any memory device, such as 
semiconductor, magnetic, optical or other memory devices, and may be transmitted 
using any communications technology, such as optical, infrared, microwave, or other 
transmission technologies. It is expected that such a computer program product may be 
distributed as a removable medium with accompanying printed or electronic 
documentation {e.g., shrink wrapped software), preloaded with a computer system {e.g., 
on system ROM or fixed disk), or distributed from a server or electronic bulletin board 
over the network {e.g., the Internet or World Wide Web). 

Although various exemplary embodiments of the invention have been disclosed, 
it should be apparent to those skilled in the art that various changes and modifications 
can be made which will achieve some of the advantages of the invention without 
departing from the true scope of the invention. These and other obvious modifications 
are intended to be covered by the appended claims. 
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